Update, Jan. 4, 2025: This story, originally published Jan. 3, now includes additional information regarding the double-clickjacking hack threat, along with a comment from a security expert on how such hack attacks are evolving.
Hundreds of millions of web users have been warned about a new and dangerous cyber attack that doesn’t care what browser you use—as long as you click twice. Here’s everything you need to know about the double-clickjacking hack attack.
Don’t Click Twice Warning As New Hack Attack Confirmed
Application security and client-side offensive exploit researcher Paulos Yibelo, with a long history of discovering vulnerabilities and novel security threats, has revealed what could be the new attack methodology with the biggest reach of them all—everyone using a web browser. In a blog post detailing what is referred to as double clickjacking, Yibelo describes in technical detail how hackers can compromise your credentials when you double-click in Chrome, Edge, Safari or just about any web browser client.
This entirely new threat surface exists because hackers can trick the user of almost any website, in almost any web browser, into clicking something without realizing they are doing it. It’s a new take on the old clickjacking attack, which employed various methods to get users clicking on hidden or otherwise obfuscated web page elements. Classic clickjacking became obsolete when browser developers built protections into their software to prevent just such an attack. Double clickjacking, however, gets around these protections by adding another layer of attack that relies upon mouse double-click timing: the victim ends up validating a login or some other account authorization while thinking they are clicking something else, like a CAPTCHA, that is on the screen at the time. The TL;DR, in other words, is that a new window is opened and the user is asked to double-click on a prompt; in the blink of an eye between the first and second click, the hacker switches context to a different window altogether, so the second click lands on a sensitive control.
I have approached Apple, Google and Microsoft for a statement.
Why The Double Clickjack Hack Is So Dangerous
“While it might sound like a small change,” Yibelo said, double clickjacking “opens the door to new UI manipulation attacks that bypass all known clickjacking protections,” and “seemingly affects almost every website, leading to account takeovers on many major platforms.” Yibelo highlighted the following reasons why the hack attack is so dangerous:
- It can bypass existing clickjacking protections.
- It can impact more than just websites alone, with crypto wallets and smartphone attacks possible.
- It’s an entirely new attack surface for hackers to exploit.
- All websites are, by default, vulnerable to this hack attack.
- It only requires the target to double-click, nothing else.
“DoubleClickjacking is a sleight of hand around a well-known attack class,” Yibelo said, “by exploiting the event timing between clicks, attackers can seamlessly swap out benign UI elements for sensitive ones in the blink of an eye.” This means that developers and security teams need to tighten their control over embedded or opener-based windows and be more vigilant about such things as multi-click patterns.
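One defensive pattern along the lines Yibelo describes, given here as an added example that is not code from the article or from the researcher: a sensitive control stays disarmed until the page has held focus for a short delay and has seen pointer or keyboard activity since gaining focus, so a click that lands within milliseconds of the window regaining focus, with no pointer movement in between, is rejected. The class name, the `authorize` element id and the 500 ms delay are assumptions.

```javascript
// Added example (hypothetical, not the article's or the researcher's code).
// A double-clickjack delivers a click to this page moments after the window
// regains focus, with the pointer stationary. A genuine user moves the pointer
// onto the button first, so the button is "armed" only after both conditions:
//   (a) the page has been focused for at least armDelayMs, and
//   (b) pointer or keyboard activity has happened since that focus event.
// Some browsers synthesize mousemove after a layout change under a still
// pointer, so the focus delay in (a) is kept as a second, independent check.
const ARM_DELAY_MS = 500; // assumed tuning value, not from the article

class SensitiveActionGuard {
  constructor(armDelayMs = ARM_DELAY_MS) {
    this.armDelayMs = armDelayMs;
    this.focusedAt = null;   // timestamp at which the page last gained focus
    this.intentSeen = false; // pointer/keyboard activity seen since focus
  }
  onFocus(ts) { this.focusedAt = ts; this.intentSeen = false; }
  onBlur() { this.focusedAt = null; this.intentSeen = false; }
  onUserIntent(ts) {         // called on mousemove / keydown
    if (this.focusedAt !== null && ts >= this.focusedAt) this.intentSeen = true;
  }
  isArmed(ts) {
    return this.focusedAt !== null && this.intentSeen &&
      ts - this.focusedAt >= this.armDelayMs;
  }
  // Decide whether a click at time ts on the sensitive control is honored.
  handleClick(ts) {
    if (this.focusedAt === null) return "reject:unfocused";
    if (ts - this.focusedAt < this.armDelayMs) return "reject:too-soon-after-focus";
    if (!this.intentSeen) return "reject:no-pointer-activity";
    return "accept";
  }
}

// Browser wiring; skipped when the file runs outside a browser (e.g. tests).
if (typeof document !== "undefined") {
  const guard = new SensitiveActionGuard();
  const btn = document.getElementById("authorize"); // assumed element id
  if (document.hasFocus()) guard.onFocus(performance.now());
  window.addEventListener("focus", () => guard.onFocus(performance.now()));
  window.addEventListener("blur", () => guard.onBlur());
  document.addEventListener("mousemove", () => guard.onUserIntent(performance.now()));
  document.addEventListener("keydown", () => guard.onUserIntent(performance.now()));
  btn.addEventListener("click", (e) => {
    const verdict = guard.handleClick(performance.now());
    if (verdict !== "accept") { e.preventDefault(); e.stopImmediatePropagation(); }
  });
}
```

Rejected clicks are a useful telemetry signal: a burst of `reject:too-soon-after-focus` verdicts on an authorization page is exactly the multi-click pattern the text says teams should watch for.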
Evolution Of Hack Attacks Creates Additional Challenges For Defenders
Unsurprisingly, reports of this double-clickjacking hack attack have created great concern among users and cybersecurity professionals alike. “The marginal decreases in ransomware and malware over the past year,” Spencer Starkey, an executive vice president at content control and network security vendor SonicWall, said, “should not fool people; hackers have just changed their tactics.” There is no doubt that cyber attacks are constantly evolving; the proof is there in front of you, both in the articles I write here at Forbes.com and in the exploits that so many fall victim to. “Due to the speed at which new attacks are being created, they are more adaptive and difficult to detect,” Starkey said, “which poses an additional challenge for cybersecurity professionals.” From a business perspective, this means constantly monitoring networks for suspicious activity. “The sooner teams can flag a potential issue,” Starkey concluded, “the lower the risk of an attack.”
When it comes to attack mitigation, Yibelo said, “I’ve reported this issue to some sites; the results have been mixed. Most have chosen to address it while some have chosen not to.” As for end users, the advice for now, until in-browser mitigations are available, has to be: don’t click twice if you want to be sure of not falling victim to this new hack attack.